Access list question

tinhnho123
Level 2

Hi guys,

I've created this access list on my switch C9300 for testing:

ip access-list extended My_RDP
   10 permit tcp any range 3389 3390 any
   20 permit udp any range 3389 3900 any
   30 permit ip any any

And then I applied this ACL to my interface g1/0/1:

  ip access-group My_RDP in

I can RDP to the PC connected to interface g1/0/1 from another PC just fine, but when I do 'show ip access-list My_RDP' on my switch I don't see any packets matched. Did I do something wrong here?

Thanks!


tinhnho123
Level 2

I've added this into the ACL 'My_RDP':

       5 deny icmp any any log

And the result is as expected: I can't ping the PC connected to interface g1/0/1 now, but I still don't see any matched packets for the ICMP deny in my ACL either. Was my ACL wrong?

Hello

Access lists can be processed in either hardware (dedicated ASIC cards) or software (CPU) of the router/switch.
On the 9300 they are most probably being hardware processed; however, when you enable the log or log-input keyword, the logging of the ACL is usually processed by the CPU of the router/switch. With you not seeing any hits on the ACL, it could be that the logging is being hardware processed, however I wouldn't expect it to be. Curious, have you tried the log-input keyword?

Edited: Please review this post I've come across; it's from two hall of famers, Rick and Jon. I think they've explained it better than I have.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hello,

check what results the command:

show platform software fed switch { switch_num | active | standby } acl counters hardware

renders.

Thanks Guys!

I added 'log' at the end of 'deny icmp any any', so my ACL looks like this now:

ip access-list extended My_RDP

    5 deny icmp any any log
   10 permit tcp any range 3389 3390 any log
   20 permit udp any range 3389 3900 any log
   30 permit ip any any log

I've been sending some pings to that PC and the ICMP is getting dropped. I ran the command below:

show platform software fed switch active acl counters hardware

Is this the line where I'm supposed to see it?

Ingress IPv4 PACL Drop (0x5a000005): 152 frames
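To check what each entry of the final ACL in this thread actually matches, here is an added example (my own code, not posted by anyone in the thread) that parses the ACEs and evaluates constructed packets with IOS first-match semantics. The addresses and the client port are made up, and only the 'any' address form is modelled. It shows that 'range 3389 3390' sits in the source-port position, so on an inbound ACL on the server's port it matches the server's replies (source port 3389), while a client's connection attempt toward port 3389 would fall through to entry 30.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    """Constructed packet model; port 0 means 'no L4 port' (ICMP)."""
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _parse_ports(t, i):
    """Optional 'eq N' / 'range A B' operator at t[i]; returns ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """Parse one IOS extended ACE as written in the thread:
    '<seq> permit|deny <proto> any [op ports] any [op ports] [log]' (only 'any' addresses)."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    assert t[3] == "any", "only 'any' sources are modelled here"
    sports, i = _parse_ports(t, 4)          # operator after the source = SOURCE port
    assert t[i] == "any", "only 'any' destinations are modelled here"
    dports, i = _parse_ports(t, i + 1)      # operator after the destination = DESTINATION port
    return {"seq": seq, "action": action, "proto": proto, "sports": sports,
            "dports": dports, "log": i < len(t) and t[i] == "log"}

def evaluate(acl, pkt):
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    def hit(rng, port):
        return rng is None or rng[0] <= port <= rng[1]
    for ace in acl:
        if (ace["proto"] in (pkt.proto, "ip")
                and hit(ace["sports"], pkt.sport) and hit(ace["dports"], pkt.dport)):
            return ace["action"], ace["seq"], ace["log"]
    return "deny", None, False

MY_RDP = [parse_ace(l) for l in """
5 deny icmp any any log
10 permit tcp any range 3389 3390 any log
20 permit udp any range 3389 3900 any log
30 permit ip any any log""".strip().splitlines()]

# Constructed flows as they enter g1/0/1 from the RDP server PC (made-up addresses).
SERVER_REPLY = Packet("tcp", "10.0.0.10", "10.0.0.20", sport=3389, dport=51000)
CLIENT_SYN = Packet("tcp", "10.0.0.20", "10.0.0.10", sport=51000, dport=3389)
PING_FROM_PC = Packet("icmp", "10.0.0.10", "10.0.0.20")
```

Calling evaluate(MY_RDP, pkt) on the three constructed packets gives entry 10 for the server reply, entry 30 for the client SYN, and the deny at entry 5 for the ICMP reply from the PC.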